Security Researcher Demonstrates Healthcare.gov Vulnerabilities

Dave Kennedy Healthcaredotgov hearing

A select panel of experts met to discuss the security issues with Obama’s Healthcare.gov website. But only one of them demonstrated vulnerabilities live.

TrustedSEC CEO Dave Kennedy (also the creator of the Social Engineering Toolkit) hit the ball out of the park yesterday at the Congressional Committee Hearing on the Affordable Healthcare Act – Healthcare.gov website security issues.

According to the opening statements by Chairman Lamar Smith, Healthcare.gov is “One of the largest collections of personal data in the world”. The site contains data from 7 different agencies, and includes personal information such as citizens’ birthdays and social security numbers.

According to the President, the website was safe, secure and open for business. But the administration has cut corners with the website, which leaves the site open to hackers.

At the hearing, Kennedy said that through passive reconnaissance his company had discovered 17 different direct exposures which they reported. He would not talk about all of them, because as of the time of the hearing not all of them had been fixed. He then went on to actually demonstrate several possible ways that hackers could target the site.

David does not talk about all of the issues that they discovered, but their full report (PDF), which was submitted to Congress, is very interesting.

The report shows several issues that include:

  • Open Redirection (where a malicious re-direct link could be inserted into a Healthcare.gov link)
  • XML injection
  • JQuery File Upload
  • Exposed User Profiles!

But that is not all. There are also remnant website “test” links:

healthcare security issues

The Congressional Hearing and TrustedSEC’s report are both well worth your time.

Kudos to Dave, he did a phenomenal job, and as always, both expertly and professionally represented the white hat security field.

Hacking a Mobile Device’s Second Operating System

Great article on mobile phone insecurity last week on the OS News website. According to the article there are not one, but two operating systems at work in mobile communication devices that use 3G or LTE. The second operating system controls the radio and is based on 80’s communication standards and code written in the 90’s!

This age gap has led to the second operating system being very insecure. Exploits can work against the ARM-controlled radio system just as they do against any other operating system a device runs.

The standards were written in a time when security was much less of a priority and many things were trusted by default:

“For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.”

According to the article, remote code exploits for the radio system have been found that are as small as 73 bytes. But the bigger problem is the blind trust that the radio places in the towers.

A rogue tower could be obtained and set up by an attacker:

“While we can sort-of assume that the base stations in cell towers operated by large carriers are “safe”, the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay – and there are even open source base station software packages. Such base stations can be used to target phones.”

But what could an attacker actually do with it?

“Put a compromised base station in a crowded area – or even a financial district or some other sensitive area – and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.”

With the absolute saturation of smart phones in urban areas, an attack like this could cause a lot of problems. And with the capabilities this would offer, one would have to assume that military and government cyber teams will be looking into this, if they have not already.

First Fully Functional 3D Printed Metal Firearm

There has been a lot of interest, and controversy, over the ability to “print” guns using a 3D printer. Up until now, most weapons that were printed were plastic only. Well, not any more.

Solid Concepts has created the first 1911 pistol using Direct Metal Laser Sintering (DMLS) 3D printing:

So just what in the world is DMLS?

The ability to create high strength metal parts via 3D printing is really a game changer. Some remote military facilities and research centers already have 3D printing capability.

And the ability to make their own metal parts will make them even more autonomous and self-sufficient.